From: yohg...@gmail.com [mailto:yohg...@gmail.com] On Behalf Of Yasuo Ohgaki
> 
> Hi,
>
> It seems motivation of this RFC is better to be stated.
> Motivation to have this RFC is
>
> 1. "File Includes" is a fatal security breach.
> 2. The reason why PHP is less secure against "File Include" than other languages is 
> "Mandatory embed mode".
> 3. Non-mandatory embed mode gives users an option for better security.
>
> With this RFC, PHP could be as safe as other scripting languages with respect 
> to file includes. This RFC is fully compatible with current code. Writing 
> backward-compatible code takes as few as 3 lines.

No, I understood the reasons, but I reject the assumption that you are making. 
The "embed mode" doesn't have a measurable impact on the security of this 
system. The vulnerable code can be exploited in countless ways with or without 
embed mode.

> Most of security measures are not perfect solutions, but mitigation, just 
> like canary and DEP. I suppose people who are concerned with security 
> understand the value of these protections.

Look, I'm the first to stand up for improved security, but that's not what we 
have here. Just calling this a security improvement doesn't make it true.

> Are there any good reasons not to have non-mandatory embed mode as an 
> additional security measure? Why not make it harder for attackers to 
> exploit?

Yes. This fundamentally breaks the language. PHP was first and foremost a 
template language. In fact, the strong template integration is a huge part of 
why one would build a web site in PHP, not C++.

> In short, I'm really annoyed to hear "PHP is less secure than 
> Ruby/Perl/Python/etc"

Anyone who says this is wrong. Ruby is in fact far less secure, because it 
doesn't even have cursory escaping functions and a variety of unpredictable 
behaviors (implicit returns) can lead to wild results.

John Crenshaw
Priacta, Inc.
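An added illustration of the point argued above (this is example code written for this page, not code from the thread or from either participant): what makes a file include dangerous is that request data chooses the path, and that is true whether or not the included file is parsed in embed mode. The hardened pattern below resolves a page name through a fixed allow-list and verifies that the resolved path stays inside the template directory. The `templates` directory, the page names and the `resolveTemplate()` helper are assumptions for the example.

```php
<?php
// Added example (not from the thread): the include target is chosen from a
// fixed allow-list, never built from request data. Paths and page names are
// assumed for illustration.
declare(strict_types=1);

const TEMPLATE_DIR = __DIR__ . '/templates';

// Only these logical names may be rendered; the values are file names that
// the developer controls, never anything taken from the request.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

/**
 * Resolve a user-supplied page name to a template path, or null if it is not
 * allowed. The realpath() prefix check guards against the allow-list itself
 * being mis-edited later (for example an entry containing "../"), so the
 * include can never leave TEMPLATE_DIR.
 */
function resolveTemplate(string $page): ?string
{
    if (!array_key_exists($page, ALLOWED_PAGES)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ALLOWED_PAGES[$page]);
    if ($base === false || $path === false) {
        return null;
    }
    // The resolved file must sit strictly below the template directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Usage: the request supplies a name, which is mapped to a path by the
// allow-list; an unknown name is rejected rather than turned into a path.
$page = (string) ($_GET['page'] ?? 'home');
$template = resolveTemplate($page);
if ($template === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $template;
```

The contrast with the unsafe form (`include $_GET['page'] . '.php'`) is where embed mode sits in the argument: with a request-controlled path, whatever file the name resolves to is read by the interpreter, and the parsing mode only changes whether non-PHP text in that file is echoed to the client or treated as code. The defect is the path coming from the request, and the allow-list removes it independently of how the included file is parsed.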

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
